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VOLUME 3 GENERAL TECHNICAL ADMINISTRATION 

CHAPTER 61 AIRCRAFT NETWORK SECURITY PROGRAM 

Section 1 Safety Assurance System: Evaluate the Operator’s. 14 CFR Parts III, 111/135,115, and 119 

Aircraft Network Security Program 

L O 


3-4 8 8 7 REPORTING SYSTEM(S). 

A. Program Tracking and Reporting Subsystem (PTRS) Activity" Codes. 

■ 5315 (initial); and 

■ 5314 (revision). 

B. Safe re Assurance System (SAS) Automation. This section is related to SAJ5 Elements 4.4.1 (AW). 
Avionics Special Emphasis Programs. 

3-4SSS APPLICABILITY. 

A. Aircraft Network Security Program (ANSF) Requirement. Tlie requirement for an ANSP is 
dependent on aircraft design and intended operation. An aircraft requiring an ANSP is one that is certified with a 
special condition (SC) reflected on “he aircraft Tspe Certificate Data Sheet (TODS) requiring operator actions to 
nutigate electronic security risks.. These mandator;.' actions are found in the design approval holder's JDAHJ 
maintenance or operational procedures as required by the special condition. For the purpose of this chapter, 
these aircraft will be referred to as "connected aircraft " 

B. Connected Aircraft. A connected aircraft operated under Title 14 of the Code of Federal 
Regulations (14 CFR) parts 121, 121 135.125. and 129 require an .ANSP, Operations under 14 CFR parts 91, 

125M, and 135 are not required to have an ANSP. However, parts 91 . 12 5M, and 05, as a condition for 
issuance of .an airworthiness certificate, are required to follow the DAH procedures or instructions for continued 
airworthiness (ICA) developed to meet SCs addressing electronic system security. The DAH procedures must be 
included in the maintenance and operational programs. 

NOTE: Some aircraft may have an SC for electronic security that applies lo the DAH design 
only and does not require operator action. These aircraft do net need an .ANSP or maintenance 
and operational procedures. 

3-4889 OBJECTn"E. This section contains information and guidance that “he principal avionics inspectors 
(PAT) use when evaluating an operator 's ANSP. Upon official notification that an operator intends to add 
connected aircraft to heir fleet, the PAI must consult the Flight S tandards Service (AES) Aircraft Maintenance 
Division. Avionics Branch (AFS-340) at (202) 257-1704. This will provide for early coordination to ensure all 
program requirements are met prior to issuing operations specification (OpSpec) D301. The PM is responsible 
for acceptance of he program with he concurrence of ATS-3 4 0. Personnel from he Office of Information and 
Technology Sendees (AIT) Security and Privacy Risk Management Staff (MS-020) will support AFS-3G0 in the 
evaluation. 

NOTE : B ecause of his unique applic ati on of computer technology. AFS-3 6 0 will collaborate 
with MS-020 to provide technical information technology (IT) security support. AFS-340 will 
rely on AI3-020 personnel for their expertise in IT cyber security to assist in evaluating he 
operator 's security program. The PAI will make airworthiness evaluations with assistance and 
recommendations from the assigned AFS-340 aviation safety,' inspector (ASI). 



XOTE: The PAI may require concurrence of ASIs in other specialties to assure all aspects of 
training are addressed, and to assure that the hill operations.] impact of the connected aircraft 
configuration. is assessed. 

3--I890 GENERAL. This section contains a genera] overview of he requirements for evaluating an ANSP 
under parts 121,121 1.35, 125, and 129. This section contains information and guidance about granting 
authorization fo: an operator 's ANSP. 

XOTE: OpSpec D3D1 for part 12: certificate holders does not apply to part 12511 Letter of 
Deviation Authority (LGDA) operators. It applies to U.S.-registered aircraft operated under 
part 129. and does not apply to part 129 operators that do not have U.S.-registered aircraft. It 
applies to all aircraft operated under part 129. § 129.14. 

A —IS91 ACTION. The ANSP is authorized in Op Spec D3Q1 Log in to the Web-based Operations Safety 
System (WebOPSS) and follow on-screen prompts to complete the authorization. 

3--IS92 NEW USE OF TECHNOLOGY, Previously, aircraft designers used aviation (ARINC 429 629) or 
Military Standard (MIL-STDj data buses to interconnect flight critical avionics systems. Advance connectivity 
technology was used only to support the passenger information aud entertainment systems, which were 
|physically and logically separated from the flight critical avionics systems. New aircraft designs use advanced 
technology for the ma in aircraft backbone connecting flight critical avionics as well as passenger information 
| and entertainment systems in a manner that mates the aircraft an airborne interconnected network. 

A, External Systems Access, The architecture of this aubome network may allow read and or write 
access to and or from external systems and networks, such as wireless airline operations and maintenance 
systems, satellite communications, email, the Internet, etc. Onboard wired and wireless devices may also have 
access to portions of the aircraft’s digital data buses that provide flight-critical functions. 

| NOTE: The design of these connected aucraft maizes it difficult to maintain the certificated 
configuration of the aircraft without following procedures documented in an ANSP. 

Op Spec D301 is necessary to verify drat operators have the skills, tool mg. and procedures in 
| place to accomplish the requirements of the DAffs aircraft operator security guidance. 

B. Risk. Connected aircraft have the capability to reprogram flight critical avionics components 
wirelessly aud via various data transfer mechanisms. This capability alone, or coupled with passenger 

|connectivity on the aircraft network, may result in cyber security vulnerabilities from mtentional or 
unintentional corruption of data and or systems critical to the safety and continued airworthiness of the airplane. 
| Credible examples of risks include the potential for: 

Malware to infect an aircraft system. 

An attacker to use onboard wireless to access aucraft system interfaces. 

Denial of service of wireless interfaces. 

Denial of sen/ice of safety critical systems. 

Misuse of personal devices that access a ucraft systems, and 

Misuse of off-board network connections to access aircraft system interfaces. 


13-1593 REGULATORY REQUIREMENTS. The existing regulations did not anticipate this type of system 
architecture or electronic access to aircraft systems that proride flight-critical functions. Title 14 CFR and 
current system safety assessment policy and techniques do not address potential cyber security vulnerabilities 
that unauthorized access to aucraft data buses and servers could cause. In accordance with i4 CFR part 11. § 

II 19, as described in 14 CFR part 21, § 21 16. aircraft network systems are certificated through various means, 
including but not limited to typ 1 ? certificates (TC) and Supplemental Type Certificates (STC) that include SC 
| requirements of the instructions for continued airworthiness (ICA). Title 14 CFR part 43. §43.13 requires each 
person performing maintenance, alteration, or preventive maintenance on an aircraft, engine, propeller, or 




appliance to use die methods, techniques, and practices presented in the current manufacturer’s maintenance 
manual or ICA prepared by its manufacturer: or other methods, techniques, and practices acceptable to the 
Administrator. PAIs will determine that an operator's ANSP is in compliance with applicable regulations and 
manufacturer’s instructions The manufacturer's instructions may be in the form of a recommended aircraft 
security program, airworthiness limitations (AL). or other instmefions. 

[A-4394 REFERENCES, FORA IS, AM) JOB AID S. 

A. References (cuiri'ent editions): 

Advisory Circular (AC) 119-1. Airworthiness and Operational Authorization of Aircraft Network 
Security Program (ANSP). 

RTCA DO-326A. Airworthiness Security Process Specification and DO-355, Information 
Security Guidance for Continuing Airworthiness, at htrp: wiViV.rtca.org. 

B. Forms. None. 

C. Job Aids. None. 

[i-m$ OPERATOR ACTION. 

| A. Develop an ANSP. Operators of connected aircraft must develop and maintain an ANSP that is 
sufficiently comprehensive in scope and detail to accomplish the following: 

1) Ensure that security protection is sufficient to prevent access by unauthorized sources external 
to the aircraft. 

1) Ensure that security threats specific to the certificate holder's operations are identified and 
assessed, and that risk mitigation strategies are implemented to ensure the continued airworthiness cf the 
aircraft. 


3) Prevent inadvertent or malicious changes to the aircraft network, inclu ding those possibly 
caused by maintenance activity. 

4) Prevent unauthorized access from sources onboard the aircraft. 

NOTE: AIS-020 will be the focal point for verifying the items in subparagraphs 3-4S95A1) 
through A4). 

B. Guidelines for Authorization. Operators of connected aircraft during initial certification (including 
the addition of new types of connected aircraft) should ensure that the initial compliance statement clearly 
describes the procedures that the operator will use for the ANSP. The operator must develop a section in its 
General Maintenance Manual (GMM) or other appropriate manual that provides detailed instruction on: 

E.oles and responsibilities, including persons with authority and responsibility; 

Training qualifications: 

Control of maintenance laptop ground support equipment acces s and use: 

■ Control of access to airport wired and wireless service network; 

Controlling access to Loadable Software Airplane Part (LSAP) librarian resources: 

Creating secure parts signing process and controlling access to private keys: 

■ Control monitor of physical access to aircraft; 

Control cf aircraft conformity to type design, as amended: 

■ Provisions for parts pooling and parts borrowing: 

Procedures for part exchanges within its own fleet; 




Event recognitionand response: 

Event evaluation process with considerations for program improvements: and 
| Security environment description. 

C. Verify. The PAI should encourage the operator to submit the request for authcmation for 
| Op Spec D3Q 1. along with ANSP documents at least 60 days prior to planned operation of the connected aircraft. 

Working with AFS-360. the PAI will verify that the operator has established appropriate event recognition, 
response processes, and security awareness training within then respective program area. 

13—ISSti PROCESS. PAIs. with assistance front AFS-360. will collaborate with certificate holders to determine 
the mandatory and recommenced requirements of the manufacturer 's security document 

A. Verify the Most Recent Version. Verify that the certificate holder has the most recent version of 
the manufacturer's security document. Use the following resources to determine the most recent version:: 

Airworthiness Limitation Section CALS) of the Aircraft Maintenance Manual (AMMQ. 

.Aircraft Certification Office (ADO). 

.Aircraft Evaluation Group (AEG). 

B. Compare the Requirements and Recommendations. Compare the requirements and 
recommendations in the manufacturer's security document to those in the ANSP. Verify that the certificate 
holder addresses the reqmrements. and that any recommendations appropriate to the certificate holder operations 
are included. 

| NOTE: It is not necessary for the PAI to verify the technical aspects of data security. AIS-020 
j will accomplish this during headquarters (HQ; review. 

C. Verify the Appropriate Changes. Verify that appropriate changes are reflected in the certificate 

|holder maintenance program and that the GMM or equivalent manual is revised accordingly. For example, if an 
ANSP states there is a process to validate the manufacturer 's digital signature on software parts received, that 
process should be described in the 'Parts Receiving" section of the GMM. Also, if ANSP sensitive parts are 
received from a parts pool, the parts pooling procedures should address this. 

D. Review the ANSP. During initial implementation of Op Spec D3Q1. the regional speaahst is not 
tasked to renew the ANSP. 

E. Complete the Package. The P.AI will submit the request directly to AFS-360. with a courtesy copy 
to the regional specialist. Whenever possible, to allow for the most timely and efficient review, the ANSP 
package will be submitted electronically via email with return rece ipt requested. The AFS-360 ASI will submit 

■the ANSP to the assigned AIS-020 security specialist for a concurrent review. The AFS-360 ASI and or the 

I AIS-020 security specialist may collaborate directly with the P.AI. the certificate holder, or the regional specialist 

to satisfy any issues cr concerns. When satisfied. AFS-360 will return die complete package to the P.AI with a 
cover letter recommending authorization of OpSpec D301. AES-360 will protide a courtesy copy of the cover 
letter to the regional Flight Standards specialist. 

F. Data Securin' Manager. .Although uot a requirement for every manufacturer’s security document, it 
| is critical drat the ANSP identify a data security manager The identity may be by title, organization, and office 

in the ANSP. provided the certificate holder submits a letter in writing to die certificate-holding district office 
(CHDQ) with the name and contact information for the data security manager The ANSP should state that the 
operator shall notify the CHDG within F days of subsequent changes to the data security manager. The data 
|security manager is die person with primary re sponsibility for the ANSP and serves as the focal point for 
Interface with the Federal Aviation Administration (FAA) regarding data security. 



1 3-1897 MERGERS, AC QUTSITIONS t ANB PROGRAM C HANGES. When two or more AKSPs 
consolidate because of a merger or acquisition, the consolidation of those programs is of particular importance. 
The PAI must give priority to ±e accurate consolidation of those programs. Once the PA! accepts the surviving 
|program, the operator should take action to ensure security records, reports, and logs .are maintained, archived, 
or transferred as appropriate from the existing program into the surviving program. During this transition, the 
PAI will determine the time period required for maintaining the two systems in parallel operation. The surviving 
program should have at least the same capability as the existing program The integration of the existing and 
surviving programs must maintain the integrity of the security system. 

|3-4S9 r 8 CONTRACT MAINTENANCE PROVIDERS, The operator must ensme the contract maintenance 
provider complies with its ANSP as required by part 121, § 121.363(b) or part 125, § 125.245. The operator will 
verify compliance with this requirement by use of the audit process required by its Continuing Analysis and 
Surveillance System (CASS) and Continuous Airworthiness Maintenance Program (CAMP) as required by 
U 1^1 373 and 111 1 "4. or § 125 14" e). A certificated repair station (CRS) that performs maintenance, 
preventive maintenance, or alterations for an operator that has an ANSP authorized under Op Spec D301 must 
follow the operator's program as required by 14 CFRpart 145. § 145.205. 

[S-im TASK OUTCOMES. 

1 A. Complete the PTRS. Use PTRS code 5315 for initial ANSP authorization or 5316 for revision 
thereof. In the “National Use'' field, enter ''ANSP Init" for initial authorization or “ANSP Rev'' for any revisions 
| to OpSpee D301 or any significant security program revisions even if OpSpec D3C1 is not revised. The PAI 
must document all reasons to deny the authorization m the comments section of the PTE.S record. 

B. Future Activities. Routine surveillance can be found in SAS Elements 4.6.1 (AW). Avionics 
I Special Emphasis Program. PAIs will conduct periodic routine surveillance of an operator's ANSP to verify that 
the operator maintains network security and that the operator has made no significant changes to the program 
|without PA concurrence. PAIs will verify that the records and security logs continue to contain the required 
information to show compliance. If the operator maizes changes to the ANSP (even when the change is driven by 
a revision to the manufacturer's security document), or adds additional models of connected aircraft the P.AI 
will consult .AF S-3 60 to determine if the program requires re evaluation. In accordance with Volume 5. Chapter 
IS. Section 2 of this order, any changes requiring re-issuance of D301 requires AFS-360 approval. As new 
connected aircraft are delivered to operators. AFS-360 is taking a proactive approach to reach out to the affected 
SP.AIs to inform, and assist rhem in initial implementation of OpSpec D301. 

| NOTE: AIS-Q20 may provide additional recommended surveillance tasks m the future. 

§ RE SER^TD. Paragraphs 3-4900 through 3-491S. 



